Security Awareness Training – How to do it properly

The 2009 CSI Computer Crime survey, one of the most respected reports covering insider threats, says insiders are responsible for 43 percent of malicious attacks. Twenty-five percent of respondents said that over 60 percent of their losses were due to non-malicious actions by insiders.

It is well known that staff (user) education is one of the most important aspects of delivering and maintaining a successful Information Security programme in any organisation (and one of the hardest to deliver). A successful awareness training programme aims to educate users on how to work safely on computer systems within your business environment and how to adhere to the security policies and principles laid out by management.

This standard programme aims to cut the 60 percent of non-malicious insider attacks stated above. What about the 43 percent which were intentional? A security awareness programme usually can’t cater for that. I will try to outline below some strategies you can implement to bring that potential down within your organisation.

I try to point out ways that your organisation can increase its security posture by both educating users and keeping them happy. (Sounds far-fetched, I know.)

Awareness training is plagued with issues. Organisations tend to either ‘do it wrong’ or ‘not do it at all’. Why do I think this is the case?

The individuals tasked with educating users on security threats may not be ‘qualified’ enough to do so, or they lack the understanding of ‘real risk’ and how it relates to ‘their company’.

Staff usually consider this a chore and may either not take it seriously, or ‘forget about it’, as it is not of interest to them.

The users may feel that they receive no real benefit from this. They can’t see how it relates to their daily tasks. It is just another ‘boring requirement’.

The educator may be skilled in technical security, but may fail to break down principles in a way users understand.

The organisation may be doing this purely to adhere to regulations or compliance, and only ‘do enough’ to stay compliant, with no real emphasis on on-going security within the organisation (this is a common one).

So you have two sides of the coin…

Heads: What IT Manager or CSO likes spending their day with groups of staff in the boardroom, going over PowerPoint presentations on security and trying to keep the masses engaged enough to actually listen? If they wanted to be a kindergarten teacher, I am sure they wouldn’t be standing in that boardroom. No one listens to you anyway, right? You just find yourself reading off a slide in a monotone voice, counting the hours until you can go home and crack a beer.

Tails: What employee wants to be taken away from their daily tasks to sit in a ‘boring IT meeting’ which is compulsory to attend? While you are at the front of the class trying to educate, they will be either too busy thinking about the piles of paper building up on their desk, or better yet, concentrating on how to stop themselves from emitting audible yawns.

It is definitely a two way street when dealing with this. Humans by nature work on incentives. Unless the user has an incentive to be in the training, they will not want to be there, and if they don’t want to be there, they will learn nothing. If you as the educator can get this to work, you will gain YOUR incentive, too.

There is an important line between appearing to be diligent in providing staff training so you can tick a box saying ‘complete’ (so if something goes wrong, you are not to blame), and actually being diligent in educating your staff.

I have heard of companies giving employees tests after a training session, and proceeding to give the highest scored employees some sort of incentive (be it some time off work, a small bonus, a gift card – whatever). But in my opinion, THAT IS WRONG.

I think I have a good grasp on how people operate. And my years working in advertising might have changed my opinion on a few things over the years.

There will only be a ‘few’ who will actually try to gain this incentive by getting a high score after a training session. The rest won’t be bothered, or will fear they have no chance of beating their nerdy colleague. The whole concept of offering staff an incentive that is competitive by nature will actually switch off a large percentage of users from participating. It becomes a competition in which they have no interest in competing (for any range of reasons).

So what is the answer? How do we change the mind-set of employees to be ‘more secure’ when doing your organisation’s daily business? What will ‘get them to listen’ when they won’t even sniff the half rotten carrot that you are dangling before their (ever so sleepy) eyes?

Incentive. Real incentive. Not tangible incentives, but intangible incentives. You need to give staff a treat, give them something relevant to their lives and their day-to-day duties within the company. You need to give them something they care about, and something they can take away from this which will benefit them anywhere they go (not just within your company).

What is the magical elixir that I am proposing? Surely I am about to try and sell you some product that will fix this right? Right? Wrong.

STEP 1:

PR. To begin with, your IT function should be heavily invested in public relations within the company. To have a functioning IT team working in tandem with other divisions, you need to keep up appearances. You need to sell your department, and promote it. How many people do you hear say within their company that “IT is slack” or “I am still waiting for the damn IT department to fix my printer!”? There is usually a divide between users and IT. If there is a divide, then your IT function has already failed. (This is a whole other topic; I will make a post about this in the future.)

As an IT (or IT security) function within an organisation, you should already have a regular spot in the company newsletter (or equivalent) where IT tells users briefly about the work they are doing to make things ‘better’ and ‘faster’. Keep it non-technical but interesting (yes, it is possible: relate it to something which makes users feel they will benefit from it personally). Example: “This month we will be upgrading our storage servers. This means that there will be more space for people’s emails, and you won’t have to constantly phone us up to help you clear out your inbox! :-)”

You should give users small fun tips regularly as well (be it in the newsletter or on the Intranet). Example: “You know when browsing the Internet, clicking a link with the middle mouse button opens it in a new tab. It’s awesome, try it” and “if you have a bunch of windows open and want to get to the desktop real quick, hit WINDOWS+D.” People like this; they learn from it. Why? Because it relates to them personally.

People use computers all day… in the office, and at home. When you give staff titbits of fun information which they would ACTUALLY USE, they love you for it. +1 to the IT team. If users are happy, the managers are happy, which means YOU, the IT team, are happy… trust me.

STEP 2:

So to relate this back to a successful security awareness training programme, you need to sell it to the users. Put little notices (read: ads) in the weekly/monthly newsletters and on the Intranet well in advance, leading up to the date. Make it stand out, and make it noticeable. Here is an example:

[Image: an example of a poster to promote your training]

Put flyers around the office, or in the kitchen. Get people to comment on it and talk about it (be it negative, positive, or just curiosity). Make them want to attend, if for no other reason than to find out what all the fuss is about. “You obviously haven’t done this before, have you Marts? It’s near impossible to get users excited about attending awareness training!” I hear a few of you say. But that is incorrect.

You might think that pulling a stunt like this would have an adverse effect. People can often read between the lines and smell propaganda. But the point is to get people ‘aware’ of it and discussing it. You have already won a small battle if you can do this.

The main point to remember when training users is… RELATE IT TO THEM. If you provide users with interesting, educating facts about subjects which relate to them both in the office and at home… they will listen. They will learn. They will enjoy it. And guess what, you will now have an organisation full of security aware personnel that aren’t afraid to ask questions or talk to IT about anything suspicious they may come across.

Below I outline a few techniques on what to teach users, and how to do it.

Traditional Example: “Internet Security”

“We here at company X don’t want users browsing any non-work-related sites. Do not click on any suspicious links as they may infect your PC with a virus.”

FAIL

How it should be done: “Tips to keep YOU safe online (at work and at home)”

“Did you know that millions of people every year get their credit card details stolen? Did you know that millions lose their identity, which leads them into debt they can never get out of? The fact of the matter is, the internet is a pretty dangerous place, so even when you are at home you have to be careful about what you do. For example, someone could add you as a friend on Facebook. Facebook told you that you had 20 friends in common. You haven’t heard of them before but don’t really care. By adding this user, you are potentially opening a door for a criminal to steal your personal and financial information, be it at home or here in the office. We don’t like that, and I am sure you wouldn’t either. Here are some slides on why this is actually dangerous, how it works, and how to prevent it from happening to you.”

Proceed to show slides, or even videos, on how attackers can do this and a few tricks users can use to protect themselves. Talk to the group about stories you’ve heard where this particular attack has ruined lives and businesses. Engage them and encourage dialogue and thought. Perhaps show them the Robin Sage Defcon talk – as entertaining as it is informative.

SUCCESS

Staff will listen to what you say. They will be surprised. They will learn something. They will wake up and pay attention. And guess what? Your company will just happen to reduce the risk of a spear phishing attack on one of your staff members. You will also reduce the risk of a user’s home computer being compromised, which could lead to business information being compromised (remote logins, emails?). You have just increased the security posture of your entire organisation by a notch by showing the users this one segment alone.

Now do this for the next subject. Talk about ‘secure passwords’. Show them how easy it is to crack a password. Hell, fire up JTR and crack a test password before their eyes. Make it interactive. Maybe at the beginning of the session, start with password education, launch an attack on a hash, and come back to it at the end. This is engaging, and the users will soak up the information. Show them that they can use pass-phrases instead of passwords to be secure, and that these are actually easier to remember. Give them examples of how to use this for every site or location where they need to authenticate. Again, both at home and at work. (I wrote a post on helping people remember secure pass-phrases here.)
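A concrete way to back up the pass-phrase argument in the session is to show the numbers. The script below is an added example written for this post, not the author’s code or a JTR feature. It estimates how much work an attacker faces for a typical ‘complex’ password versus a multi-word pass-phrase, and it also shows why charset arithmetic flatters passwords like “P@ssw0rd”: once the leet substitutions and trailing digits are undone, the password is a dictionary word, and the attacker only has to cover the word list and a handful of mutation rules. The guess rate (10 billion per second), the attacker’s word-list size (100,000 words), the mutation count (1,000 variants per word), the small list of common words and the 7,776-word pass-phrase dictionary are all constructed assumptions for illustration, not measurements.

```python
"""Password vs. pass-phrase strength estimator for an awareness session.

Added example, not part of the original post. All rates and list sizes are
assumptions chosen to make the comparison concrete.
"""
import math
import re
import string

# Assumed offline guess rate against a fast, unsalted hash (guesses/second).
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Assumed attacker resources for dictionary attacks: a word list plus a set
# of mutation rules (capitalise, append digits, leet substitutions, ...).
ASSUMED_WORDLIST_SIZE = 100_000
ASSUMED_MUTATIONS_PER_WORD = 1_000

# Assumed pass-phrase dictionary size (the common 7,776-word Diceware list).
ASSUMED_PASSPHRASE_DICTIONARY = 7_776

# Constructed stand-in for an attacker's word list, kept tiny for the demo.
COMMON_WORDS = {"password", "summer", "welcome", "letmein",
                "qwerty", "monkey", "dragon", "football"}

# Common leet-speak substitutions undone during normalisation.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                          "!": "i", "3": "e", "$": "s", "5": "s", "7": "t"})


def charset_size(password: str) -> int:
    """Size of the character classes the password draws from (for brute force)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Entropy (bits) an attacker must cover if the password were truly random."""
    return len(password) * math.log2(charset_size(password))


def normalize(password: str) -> str:
    """Lower-case, strip trailing digits/symbols, undo leet: 'P@ssw0rd1!' -> 'password'."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


def effective_bits(password: str) -> float:
    """Realistic attacker effort: dictionary-plus-rules if the core is a common
    word, otherwise fall back to the brute-force estimate."""
    if normalize(password) in COMMON_WORDS:
        return math.log2(ASSUMED_WORDLIST_SIZE * ASSUMED_MUTATIONS_PER_WORD)
    return brute_force_bits(password)


def passphrase_bits(words: int, dictionary=ASSUMED_PASSPHRASE_DICTIONARY) -> float:
    """Entropy of `words` words chosen at random from the dictionary."""
    return words * math.log2(dictionary)


def seconds_to_exhaust(bits: float, rate=ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return (2 ** bits) / rate


def compare(password: str, phrase_words: int) -> dict:
    """Side-by-side figures to put on a slide."""
    return {
        "password": password,
        "password_naive_bits": round(brute_force_bits(password), 1),
        "password_effective_bits": round(effective_bits(password), 1),
        "password_seconds": seconds_to_exhaust(effective_bits(password)),
        "passphrase_words": phrase_words,
        "passphrase_bits": round(passphrase_bits(phrase_words), 1),
        "passphrase_seconds": seconds_to_exhaust(passphrase_bits(phrase_words)),
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2019!"):
        r = compare(pw, 5)
        print(f"{r['password']!r}: looks like {r['password_naive_bits']} bits, "
              f"really ~{r['password_effective_bits']} bits, "
              f"exhausted in {r['password_seconds']:.2f} s")
    r = compare("P@ssw0rd", 5)
    print(f"5-word pass-phrase: {r['passphrase_bits']} bits, "
          f"exhausted in {r['passphrase_seconds'] / 31_557_600:.0f} years")
```

On the slide, the contrast is the point: “P@ssw0rd” looks like a 52-bit password by charset arithmetic but is a dictionary word with two substitutions, so under the assumed rules it falls in a fraction of a second, while five random words from a 7,776-word list give roughly 65 bits and decades of work at the same guess rate, and are far easier to remember.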

During this session, perhaps have a keylogger installed on your presentation laptop. Do an experiment and get a user to change your password on a website. Then take over and bring up the logs to reveal to the crowd what the password was. “Oooohh, Aaaahh” will emit from the room.

This is what you have to market. Market to the staff that they are in for a treat when they attend the training. Tell them they will learn some cool stuff and take home information that people would usually pay money to receive.

Tell them what encryption is, and show them how easy it is to encrypt their sensitive information at home, and relay that to how the business uses encryption.

Show them examples of social engineering. Even play them the YouTube clip of Johnny Long’s talk on ‘no tech hacking’. Show them how criminals do this relentlessly, and tell them to be vigilant when fielding phone calls or responding to emails in the office.

Write up a security manual to give staff after the training which they can take home and read. Offer resources to those who want to learn more. This is all coupled with your regular tips you put out with your regular IT PR I mentioned earlier. Security isn’t a band-aid solution. It is an on-going process.

Organisations need to look after their staff. If staff are feeling unappreciated or jaded with their mundane office lives, they are more likely to care less when it comes to security, and to care even less when they are herded into a boardroom for some ‘boring’ security training. And that is one of the biggest security risks your company will ever face: the insider threat, be it malicious, accidental or just plain careless. If the attitude of your staff is along those lines, you lose. Fix this before trying to fix anything else.

You have to give staff something in order for them to give something back. Provide them with good information which they can actually use. I can’t stress this enough. Reward them with this, and they will reward you in return.

You have to encourage dialogue between users and the IT function within the organisation as well. Your job in IT is not just to keep the systems running, or to keep the firewall in check. It is your responsibility to share information and help users in matters such as security. You are a skilled professional, and people generally want to learn things which will benefit them in life.

If you or your organisation does not have the expertise to deliver this type of training, you should consider hiring a consultant. You can spend thousands of dollars on new equipment to try to minimise your security risks, but the most often overlooked security risk is the users: the people sitting inside your network (potentially making the thousands of dollars you just spent on a firewall pointless). These people already have access to the sensitive information. This is the area you need to invest money in.

If you have a technical person trying to deliver this training, but all they can deliver is a list of ‘do’s and don’ts’, the staff won’t learn, and you’ve just lost X amount of money in productivity from dragging skilled employees away from their duties. The money you spend on ‘real’ training will pay for itself.